Can't Remove Vundo



Cultcab
2007-03-24, 14:43
My PC is infected with the Vundo virus (or some variant of it) and I can't get rid of it. When I tried to download the removal tool, my browser shut down every time I went to any page that had a reference to the virus. When I tried to run HijackThis, the same thing happened - the program shut down whenever I tried to run it.
I was able to download the removal tool from another PC and e-mail it to myself, but when I try to run it, I get an error message every three seconds asking me if I'm sure that I want to stop running the removal process.

I haven't seen any reference to this type of activity in the forum, so I'm not sure how to proceed.

When I ran Norton, it indicated that I had two Vundo viruses and that I needed to reboot to get rid of them. That process hasn't worked.

Cultcab
2007-03-24, 18:26
I was able to run VundoFix by holding down the "n" key to tell the program every 3 seconds that I don't want to abort the scan. Strangely, though, it said that it didn't detect Vundo anywhere.

I ran Norton again and it said that I don't have any viruses, although I still have the same symptoms:

Can't run "hijackthis" or go to any web page that google shows when I do a search.

Can't go to any web page that google shows when I do a search on "vundo".

Porn pop-ups keep occurring.

My PC is running very slow - when I go to explorer, it takes 10 - 20 seconds to show my full list of directories.

pskelley
2007-03-25, 17:21
Welcome to the forum, sounds like you have some real problems and Vundo is probably part of them. I can't promise anything, especially with the issues you are having downloading the tools we need to use, but I will see what I can do if you will take the time to follow these directions.
"BEFORE you POST" Mandatory Steps Before Requesting Assistance
http://forums.spybot.info/showthread.php?t=288

You may also want to look here for something that may help:
http://forums.spybot.info/showthread.php?t=4394

There is little I can do until you figure out how to download and run the tools. You already figured out you can get the tools from another computer, you might also try to run them in safe mode.

Thanks

Cultcab
2007-03-31, 19:57
PSKelley - thanks for the reply. I'm not able to get into safe mode, and I can't run Hijackthis. I'm hoping that something within the Spybot scan or ActiveScan will give a clue to what the problem is. I noticed that when I check the running processes on my PC, there are several instances of SVCHOST.EXE running - any correlation?

Here is what Spybot found:

Avenue A Inc
Bfast
CasaleMedia
CurePCSolution
DoubleClick
Fastclick
Hitbox
KeyGenGuru
LinkSynergy
MediaPlex
PornTracker
SexList
SexTracker
Smitfraud-C.Toolbar888
Win32.small.ddx

If I run Spybot again after I've fixed these items, most of them show up again (with a couple of additions/subtractions).

Here is my ActiveScan Log:

Adware:Adware/CWS.AlfaSearch C:\WINDOWS\system32\ccc.dll
Virus:w32/bagle.hx.worm Operating system
Spyware:spyware/searchcentrix Windows Registry
Hacktool:Exploit/ByteVerify C:\D&S\HP_Owner\App Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-44f46a27-39ae21c5.zip[Gummy.class]
Hacktool:Exploit/ByteVerify C:\D&S\HP_Owner\App Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-44f46a27-5925a075.zip[Gummy.class]
Adware:Adware/CWS.Searchmeup C:\D&S\HP_Owner\App Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-1e47ce80-314239b8.zip[GetAccess.class]
Adware:Adware/CWS.Searchmeup C:\D&S\HP_Owner\App Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-1e47ce80-314239b8.zip[Installer.class]
Hacktool:Exploit/ByteVerify C:\D&S\HP_Owner\App Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-1e47ce80-314239b8.zip[NewSecurityClassLoader.class]
Hacktool:Exploit/ByteVerify C:\D&S\HP_Owner\App Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-1e47ce80-314239b8.zip[NewURLClassLoader.class]
Hacktool:Exploit/ByteVerify C:\D&S\HP_Owner\App Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv557.jar-64eaf3b5-4f841d8e.zip[Matrix.class]
Hacktool:Exploit/ByteVerify C:\D&S\HP_Owner\App Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv557.jar-64eaf3b5-4f841d8e.zip[Counter.class]
Hacktool:Exploit/ByteVerify C:\D&S\HP_Owner\App Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv557.jar-64eaf3b5-4f841d8e.zip[Dummy.class]
Hacktool:Exploit/ByteVerify C:\D&S\HP_Owner\App Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv557.jar-64eaf3b5-4f841d8e.zip[Parser.class]
Spyware:Cookie/YieldManager C:\D&S\Cookies\hp_owner@ad.yieldmanager[1].txt
Spyware:Cookie/adultfriendfinder C:\D&S\Cookies\hp_owner@adultfriendfinder[1].txt
Spyware:Cookie/Atlas DMT C:\D&S\Cookies\hp_owner@atdmt[2].txt
Spyware:Cookie/Atwola C:\D&S\Cookies\hp_owner@atwola[1].txt
Spyware:Cookie/Azjmp C:\D&S\Cookies\hp_owner@azjmp[2].txt
Spyware:Cookie/Bfast C:\D&S\Cookies\hp_owner@bfast[1].txt
Spyware:Cookie/Casalemedia C:\D&S\Cookies\hp_owner@casalemedia[2].txt
Spyware:Cookie/Ccbill C:\D&S\Cookies\hp_owner@ccbill[1].txt
Spyware:Cookie/Sextracker C:\D&S\Cookies\hp_owner@counter10.sextracker[1].txt
Spyware:Cookie/Sextracker C:\D&S\Cookies\hp_owner@counter14.sextracker[1].txt
Spyware:Cookie/Sextracker C:\D&S\Cookies\hp_owner@counter15.sextracker[1].txt
Spyware:Cookie/Sextracker C:\D&S\Cookies\hp_owner@counter16.sextracker[1].txt
Spyware:Cookie/Sextracker C:\D&S\Cookies\hp_owner@counter2.sextracker[2].txt
Spyware:Cookie/Sextracker C:\D&S\Cookies\hp_owner@counter3.sextracker[1].txt
Spyware:Cookie/Sextracker C:\D&S\Cookies\hp_owner@counter4.sextracker[2].txt
Spyware:Cookie/Sextracker C:\D&S\Cookies\hp_owner@counter6.sextracker[1].txt
Spyware:Cookie/Sextracker C:\D&S\Cookies\hp_owner@counter7.sextracker[2].txt
Spyware:Cookie/Sextracker C:\D&S\Cookies\hp_owner@counter8.sextracker[1].txt
Spyware:Cookie/Sextracker C:\D&S\Cookies\hp_owner@counter9.sextracker[1].txt
Spyware:Cookie/cs.sexcounter C:\D&S\Cookies\hp_owner@cs.sexcounter[2].txt
Spyware:Cookie/Doubleclick C:\D&S\Cookies\hp_owner@doubleclick[1].txt
Spyware:Cookie/DriveCleaner C:\D&S\Cookies\hp_owner@drivecleaner[2].txt
Spyware:Cookie/Hitbox C:\D&S\Cookies\hp_owner@ehg-dig.hitbox[1].txt
Spyware:Cookie/FastClick C:\D&S\Cookies\hp_owner@fastclick[2].txt
Spyware:Cookie/Findwhat C:\D&S\Cookies\hp_owner@findwhat[1].txt
Spyware:Cookie/Go C:\D&S\Cookies\hp_owner@go[2].txt
Spyware:Cookie/Hitbox C:\D&S\Cookies\hp_owner@hitbox[2].txt
Spyware:Cookie/MediaTickets C:\D&S\Cookies\hp_owner@kinghost[2].txt
Spyware:Cookie/Linksynergy C:\D&S\Cookies\hp_owner@linksynergy[2].txt
Spyware:Cookie/Mediaplex C:\D&S\Cookies\hp_owner@mediaplex[1].txt
Spyware:Cookie/Outster C:\D&S\Cookies\hp_owner@outster[2].txt
Spyware:Cookie/Overture C:\D&S\Cookies\hp_owner@overture[2].txt
Spyware:Cookie/RealMedia C:\D&S\Cookies\hp_owner@realmedia[1].txt
Spyware:Cookie/SexList C:\D&S\Cookies\hp_owner@sexlist[1].txt
Spyware:Cookie/Sextracker C:\D&S\Cookies\hp_owner@sextracker[1].txt
Spyware:Cookie/SpyLog C:\D&S\Cookies\hp_owner@spylog[1].txt
Spyware:Cookie/DriveCleaner C:\D&S\Cookies\hp_owner@stats.drivecleaner[2].txt
Spyware:Cookie/Toplist C:\D&S\Cookies\hp_owner@toplist[1].txt
Spyware:Cookie/ademails C:\D&S\Cookies\hp_owner@www.ademails[1].txt
Spyware:Cookie/DriveCleaner C:\D&S\Cookies\hp_owner@www.drivecleaner[2].txt
Spyware:Cookie/Cgi-bin C:\D&S\Cookies\hp_owner@www3.addfreestats[2].txt
Spyware:Cookie/Yadro C:\D&S\Cookies\hp_owner@yadro[1].txt
Potentially unwanted tool:Application/Processor C:\D&S\HP_Owner\Desktop\SmitfraudFix\Process.exe
Virus:Trj/Alanchum.NX!CME-711 Personal Folders\Junk E-mail\A killer at 11, he's free at 21 and kill again!\Full Story.exe
Virus:W32/Nuwar.D.worm Personal Folders\Junk E-mail\Radical Muslim drinking enemies' blood.\Full Clip.exe
Potentially unwanted tool:Application/KillApp.B C:\hp\bin\KillIt.exe
Spyware:Spyware/Virtumonde C:\WINDOWS\system32\efcbywv.dll
Spyware:Spyware/Virtumonde C:\WINDOWS\system32\fccdddc.dll
Spyware:Spyware/Virtumonde C:\WINDOWS\system32\hggggfg.dll
Virus:Trj/Mitglieder.MU C:\WINDOWS\system32\hldrrr.exe
Spyware:Spyware/Vundo C:\WINDOWS\system32\nbbnwcyy.dll
Potentially unwanted tool:Application/Processor C:\WINDOWS\system32\Process.exe
Spyware:Spyware/Virtumonde C:\WINDOWS\system32\qomklif.dll
Spyware:Spyware/Virtumonde C:\WINDOWS\system32\ssqqqqo.dll
Virus:Trj/FireByPass.BF C:\WINDOWS\system32\winupdate5.exe
Spyware:Spyware/Virtumonde C:\WINDOWS\system32\xxywvtq.dll

pskelley
2007-03-31, 21:15
Thanks for the feedback, I will do what I can to help without the information I really need. Where is this computer being taken? It is fairly obvious the computer is going to get infected.

First thing I suggest is that you keep it offline unless you are troubleshooting until we get it cleaned up.

Start like this: Clean the Java cache:
http://support.f-secure.com/enu/home/virusproblem/howtoclean/cleanjavacache.shtml

Now follow these instructions:
* Clean your Cache and Cookies in IE: Close all instances of Outlook Express and Internet Explorer
Go to Control Panel > Internet Options > General tab
Click the "Delete Cookies" button
Next to it, Click the "Delete Files" button
When prompted, place a check in: "Delete all offline content", click OK

* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed): Go to Tools > Options.
Click Privacy in the menu on the left side of the Options window.
Click the Clear button located to the right of each option (History, Cookies, Cache).
Click OK to close the Options window
Alternatively, you can clear all information stored while browsing by clicking Clear All.
A confirmation dialog box will be shown before clearing the information.

* Clean other Temporary files + Recycle bin: Go to start > run and type: cleanmgr and click ok.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.

When you run Vundofix it may take several times for the tools to locate and delete the bad stuff. Watch the fix and make sure all Vundo files say "have been deleted"

Thanks to Atribune and any others who helped with this fix.

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

If there is a file VundoFix doesn't find we need it submitted. Please submit
the files to upload malware http://www.uploadmalware.com

Once you get to this point, run and post another Activescan log along with the Vundofix report. See if you can post a HJT log now also.

Thanks

Cultcab
2007-03-31, 23:30
PSKelley - thanks again. I think I'm getting close.

I didn't understand your 2nd sentence (where is the computer being taken)? This is my home PC (desktop).

I tried to delete all of the Java cache, but there were a few files that were in use and couldn't be deleted.

When I tried to delete my browser history, it got stuck in "deleting history" loop without making any apparent progress.

I ran Vundo fix and was able to fix the problems found - here is the log:
C:\WINDOWS\system32\awttuuu.dll
C:\WINDOWS\system32\ccc.dll
C:\WINDOWS\system32\efcbywv.dll
C:\WINDOWS\system32\efhkj.bak1
C:\WINDOWS\system32\efhkj.bak2
C:\WINDOWS\system32\efhkj.ini
C:\WINDOWS\system32\efhkj.ini2
C:\WINDOWS\system32\efhkj.tmp
C:\WINDOWS\system32\fccccdb.dll
C:\WINDOWS\system32\fccdddc.dll
C:\WINDOWS\system32\hggggfg.dll
C:\WINDOWS\system32\ilnmp.bak1
C:\WINDOWS\system32\ilnmp.ini2
C:\WINDOWS\system32\ilnmp.tmp
C:\WINDOWS\system32\jkhfe.dll
C:\WINDOWS\system32\jlnmp.bak1
C:\WINDOWS\system32\jlnmp.ini
C:\WINDOWS\system32\ljjjkjj.dll
C:\WINDOWS\system32\ljjklll.dll
C:\WINDOWS\system32\nbbnwcyy.dll
C:\WINDOWS\system32\nnnmnnl.dll
C:\WINDOWS\system32\pmnli.dll
C:\WINDOWS\system32\pmnlj.dll
C:\WINDOWS\system32\qomklif.dll
C:\WINDOWS\system32\ssqqqqo.dll
C:\WINDOWS\system32\vtuturq.dll
C:\WINDOWS\system32\xxywvtq.dll

After this, I was finally able to run Hijackthis. Here is what was found:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\ALCWZRD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.go.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {091230C4-E717-4C60-85D0-40AAB1FD90CD} - C:\WINDOWS\system32\pmnlj.dll (file missing)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {36DBB6C9-8A6C-B173-FA69-03F03F5CAD69} - C:\WINDOWS\system32\ykelwnd.dll
O2 - BHO: (no name) - {371A7A7A-8073-48CD-9CA7-13AF75A7211A} - C:\WINDOWS\system32\jkhfe.dll (file missing)
O2 - BHO: (no name) - {4464AD54-CDE4-4247-7F0D-0300702CA111} - C:\WINDOWS\system32\xydcsom.dll
O2 - BHO: (no name) - {5712955B-0D1C-00E9-FD9D-01B8FD57EE49} - C:\WINDOWS\system32\bimqvzj.dll
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\nbbnwcyy.dll (file missing)
O2 - BHO: (no name) - {65B18E34-17F4-6F2C-AB3F-69E339EBA99E} - C:\WINDOWS\system32\zna.dll (file missing)
O2 - BHO: (no name) - {6B19EB63-B4E5-A21A-5C64-013A02D2B87B} - C:\WINDOWS\system32\hxglzze.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {B5215AD8-AC9D-4E9B-9692-FD39BE518210} - C:\WINDOWS\system32\pmnli.dll (file missing)
O2 - BHO: (no name) - {F4D2B3BE-B4BA-4E64-822A-97663C6AA2Fc} - C:\WINDOWS\system32\oscxbfwn.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [acenotes] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.msn.com
O15 - Trusted Zone: *.passport.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136066992546
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = el.nec.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = el.nec.com
O20 - Winlogon Notify: ddcyx - C:\WINDOWS\system32\ddcyx.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: notifyc - C:\WINDOWS\system32\ccc.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winrvc32 - winrvc32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Is there anything else that I should do?

pskelley
2007-04-01, 01:18
Thanks for the information and the feedback, that is not a complete Vundofix report. Would you open that C:\vundofix.txt and then click on Edit > Select all. Post the highlighted information, I have to see it all to be sure all of the infection has been removed. If you do not have the report, run the fix again, and post the results.

You are doing the same thing with the HJT scan, cutting off the top of the report. Please run a scan and save the notepad, then do the same thing. Edit > Select All > copy and paste everything highlighted to this topic. I will try to work with this partial log to post the next phase of the cleanup.

Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {091230C4-E717-4C60-85D0-40AAB1FD90CD} - C:\WINDOWS\system32\pmnlj.dll (file missing)
O2 - BHO: (no name) - {36DBB6C9-8A6C-B173-FA69-03F03F5CAD69} - C:\WINDOWS\system32\ykelwnd.dll
O2 - BHO: (no name) - {371A7A7A-8073-48CD-9CA7-13AF75A7211A} - C:\WINDOWS\system32\jkhfe.dll (file missing)
O2 - BHO: (no name) - {4464AD54-CDE4-4247-7F0D-0300702CA111} - C:\WINDOWS\system32\xydcsom.dll
O2 - BHO: (no name) - {5712955B-0D1C-00E9-FD9D-01B8FD57EE49} - C:\WINDOWS\system32\bimqvzj.dll
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\nbbnwcyy.dll (file missing)
O2 - BHO: (no name) - {65B18E34-17F4-6F2C-AB3F-69E339EBA99E} - C:\WINDOWS\system32\zna.dll (file missing)
O2 - BHO: (no name) - {6B19EB63-B4E5-A21A-5C64-013A02D2B87B} - C:\WINDOWS\system32\hxglzze.dll
O2 - BHO: (no name) - {B5215AD8-AC9D-4E9B-9692-FD39BE518210} - C:\WINDOWS\system32\pmnli.dll (file missing)
O2 - BHO: (no name) - {F4D2B3BE-B4BA-4E64-822A-97663C6AA2Fc} - C:\WINDOWS\system32\oscxbfwn.dll
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O20 - Winlogon Notify: ddcyx - C:\WINDOWS\system32\ddcyx.dll (file missing)
O20 - Winlogon Notify: notifyc - C:\WINDOWS\system32\ccc.dll (file missing)
O20 - Winlogon Notify: winrvc32 - winrvc32.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post the complete results from the Vundofix report, and a new HJT log that is complete. Let me know how the computer is running now, and there is more we should do.

Thanks

Your Java program is out of date and may be the reason for your infections, see this:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\jre1.5.0\ <<< out of date, download the newest version and uninstall all old versions in Add Remove Programs.
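The lines pskelley picks out of the HJT log above share two structural tells: O2 BHOs reported as "(no name)" whose DLL sits in system32, and O2/O20 registrations marked "(file missing)". As an added example (not from this thread, nor part of HijackThis), this Python triage parses HJT-format O2 and O20 lines and flags exactly those cases; the sample log is constructed from entries in this thread, and the rules are a first pass for review, not a verdict: Symantec's NppBho.dll also reports "(no name)" and is deliberately left alone because it lives under Program Files.

```python
import re

# Constructed sample in the HijackThis v1.99 line format used in this thread:
# a mix of entries the helper asked to fix and known-good ones from the same log.
SAMPLE_HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {36DBB6C9-8A6C-B173-FA69-03F03F5CAD69} - C:\WINDOWS\system32\ykelwnd.dll
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\nbbnwcyy.dll (file missing)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: ddcyx - C:\WINDOWS\system32\ddcyx.dll (file missing)
O20 - Winlogon Notify: winrvc32 - winrvc32.dll (file missing)
"""

# O2: "O2 - BHO: <name> - {<CLSID>} - <path>[ (file missing)]"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
# O20: "O20 - Winlogon Notify: <key> - <path>[ (file missing)]"
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<key>\S+) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
SYSTEM32_RE = re.compile(r"\\system32\\", re.IGNORECASE)


def parse_entry(line):
    """Parse one O2 or O20 line into a dict; return None for every other line type."""
    line = line.strip()
    for kind, rx in (("O2", O2_RE), ("O20", O20_RE)):
        m = rx.match(line)
        if m:
            entry = m.groupdict()
            entry["kind"] = kind
            entry["missing"] = entry["missing"] is not None
            entry["raw"] = line
            return entry
    return None


def reasons_for(entry):
    """Return the review reasons that apply to a parsed entry (empty list = nothing to flag)."""
    reasons = []
    path = entry["path"]
    if entry["kind"] == "O2" and entry["name"] == "(no name)" and SYSTEM32_RE.search(path):
        # The Vundo pattern in this thread: anonymous BHO loaded straight from system32.
        # An unnamed BHO elsewhere (e.g. a vendor's Program Files dir) is not flagged by itself.
        reasons.append("unnamed BHO loaded from system32")
    if entry["kind"] == "O20" and "\\" not in path:
        # A Winlogon Notify DLL with no directory is resolved from the search path,
        # which is not how legitimate vendor notify packages are registered.
        reasons.append("Winlogon Notify DLL given without a full path")
    if entry["missing"]:
        # Orphaned registration: the file was removed (e.g. by VundoFix) but the
        # registry hook survived, which is why the helper still lists these to fix.
        reasons.append("registration points at a file that no longer exists")
    return reasons


def triage_hjt_log(text):
    """Walk an HJT log and return the O2/O20 entries worth reviewing, with reasons."""
    findings = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        reasons = reasons_for(entry)
        if reasons:
            findings.append({"line": entry["raw"], "clsid": entry.get("clsid"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_hjt_log(SAMPLE_HJT_LOG):
        print(f["line"])
        for r in f["reasons"]:
            print("    ->", r)
```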

Cultcab
2007-04-01, 18:17
Sorry about the incomplete reports. I got an error that I had too many characters in my post, so I was trying to condense the reports to get them to fit.

I ran Vundofix again, and it didn't find any infected files.

Here is the latest Hijackthis log after I removed the files that you identified.

Logfile of HijackThis v1.99.1
Scan saved at 9:16:22 AM, on 4/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\ALCWZRD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.go.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [acenotes] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.msn.com
O15 - Trusted Zone: *.passport.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136066992546
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = el.nec.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = el.nec.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

pskelley
2007-04-01, 18:39
When you get that message about the post being too big, break it into multiple posts.

This HJT log looks very good, how is the computer running? Let's do this:
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
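
The triage pskelley does by eye on a HijackThis log (which O23 services point at a missing binary or carry no vendor attribution, which O20 Winlogon Notify DLLs load at logon, what the O17 DNS search suffix is, which O16 ActiveX controls were fetched over plain HTTP) can be written down as a small checker. The following is an added example written for this page; it is not code from the thread, from HijackThis or from Safer Networking. The sample lines are copied from the log posted above (a constructed subset so the script runs stand-alone), the section rules and the severity labels are the editor's own, and anything it flags is a "look at this" marker, not a verdict.

```python
import re
from collections import Counter, namedtuple

# Lines copied from the HijackThis log posted above (constructed subset for a
# stand-alone run; the full log is in the thread).
SAMPLE_LOG = [
    r'O15 - Trusted Zone: *.msn.com',
    r'O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136066992546',
    r'O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx',
    r'O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = el.nec.com',
    r'O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll',
    r'O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll',
    r'O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)',
    r'O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe',
    r'O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe',
]

Finding = namedtuple("Finding", "section severity reason line")

# Every HJT line is "<section> - <body>"; O23 bodies are
# "Service: <display name> (<short name>) - <owner> - <image path>".
LINE_RE = re.compile(r"^(O\d+) - (.*)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def parse_line(line):
    """Split one HJT line into (section, body); None for anything else."""
    m = LINE_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def triage(lines):
    """Apply the editor's review rules to HJT lines and return the findings."""
    findings = []
    for raw in lines:
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, body = parsed
        if section == "O23":
            m = SERVICE_RE.match(body)
            if not m:
                continue
            problems = []
            if "(file missing)" in m.group("path"):
                problems.append("service registered but binary missing")
            if m.group("owner") == "Unknown owner":
                problems.append("no vendor attribution")
            if problems:
                # A half-uninstalled product and a leftover malware service
                # look the same here: confirm against what is really installed.
                findings.append(Finding(section, "review", "; ".join(problems), raw))
        elif section == "O20":
            # Winlogon Notify DLLs are loaded into winlogon.exe at every logon,
            # so each one is worth checking against its vendor and signature.
            findings.append(Finding(section, "review",
                                    "Winlogon Notify DLL loads at logon; verify the file", raw))
        elif section == "O17" and "SearchList = " in body:
            domain = body.split("SearchList = ", 1)[1].strip()
            findings.append(Finding(section, "review",
                                    f"DNS search suffix {domain}; confirm it belongs to your network", raw))
        elif section == "O16":
            url = body.rsplit(" - ", 1)[-1].strip()
            if url.lower().startswith("http://"):
                findings.append(Finding(section, "info",
                                        "ActiveX control fetched over plain HTTP", raw))
        elif section == "O15" and "*" in body:
            findings.append(Finding(section, "info",
                                    "wildcard Trusted Zone entry", raw))
    return findings


def summarize(findings):
    """Count findings per HJT section."""
    return Counter(f.section for f in findings)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n    {f.line}")
```

On the sample above the checker raises exactly the points pskelley's "looks very good" assessment already accounts for: the Symantec ccSvcHst entries are stale registrations of a product that is no longer fully present, the two Winlogon Notify DLLs are the Intel graphics and Windows Genuine Advantage components, and the search suffix is a corporate domain; nothing it flags is a Vundo artefact, which is consistent with the scanners reporting the machine clean.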

Cultcab
2007-04-01, 23:04
PSKelley - thanks again for all your help. Spybot, Norton AV, and AdAware all show that I'm clean now and I don't seem to have any other symptoms.

pskelley
2007-04-07, 19:17
As the problem appears to be resolved this topic has been closed.

If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.

Thanks